Good morning Protect!
Let's try this again. I feel like I'm making progress with this, I just can't get the final piece. I currently have this:
I have an action to set event field device custom string 4 to $output, and when the rule fires my correlated event just has $output in device custom string 4. Why isn't this working? This particular event $message is a unix log and has 30+ digits and I just want the username.
It may also be possible to do this:
But I'm not entirely sure if that would work. That just adds a ".*" saying everything before "user:", but that part might match on "user:" as well and not produce anything. Worth a try if you don't see an easy fix for the regex.
I have a quick question for you. Are you aggregating your message field up from the base event? Does your correlated rule fire show the correct message?
I am, I do receive the correct event.message in the correlated event. I'm aggregating on identical event.name, event.message and device custom string 4.
I don't believe you need to assign $message to $string since you can directly say:
As far as your regex is concerned, I can't validate it without knowing the content it's trying to evaluate. One thing is for sure: if you're getting $output as a value then the evaluate_velocity_template function did not produce anything valid.
If you haven't validated your regex I would advise doing so with a site like http://www.regex101.com
That is correct, you can simply use $message in the place of $string. Instead of having your replace condition in a variable, try using it in your event field directly. Right now you have $output in your device custom string 4 field, change that to:
As Michel said, we won't be able to validate your output since we don't have the same thing to check, but assuming your regex is correct that should produce what you want it to.
This is me just trying to learn how to extract a string from the message in question:
Authentication <failure> for <Active Directory> user: <usernname> account: <domain\username> service: <service> reason: <>
Let me clarify something:
Am I supposed to create a variable calling $message.replaceAll, or am I supposed to set an action where dcs4=$message.replaceAll(regex)?
Set the action to dcs4=$message.replaceAll(regex)
That should at least change the output in the dcs4 field. If it's not correct but it's no longer just the variable string, then you will know that your regex isn't working correctly and you'll be able to fix it from there.
Based on the regex you provided earlier you are looking to start your replace on the "space" after the "user:" and end on the ":" after "account". If that's not going to be what you want I would recommend adding a space in your regex to both the start and end of the replace expression. Below is an example:
dcs4=$message.replaceAll('user: ([^\s]+) account','$1')
I have no way of confirming if this works or not at the moment since I don't have any events that look like that, but hopefully that spurs some ideas if your original doesn't work.
I've removed the local variable and put that directly into the action "set event field" for dcs4; this is what happens. I noticed I had an extra ' in there and removed that, but it still produces the same.
I may be wrong but you should be able to find the problem with your velocity variable in the arcsight/manager/velocity.log.
Did you take a look?
Can you try putting this in the dcs4 field: $message.replaceAll('user: ([^\s]+).*','$1')
This appears to be working just fine on my end. When you try that can you also provide a screenshot of your action field to verify that it looks correct as well?
Okay, so a little bit of progress: the string is working on the action. I may not have been waiting long enough for the rule engine to apply the change I made. However, I will show you the string before and after the variable is applied:
Authentication <failure> for <Active Directory> user: <usernname> account: <domain\username> service: <service> reason: <>
Authentication <failure> for <Active Directory> <usernname> <domain\username> service: <service> reason: <>
It's just stripping "User:" and "Account:" when I actually want what follows user, and I don't care about account. However, this is just a regex problem and I'll just need to research more and figure out how to extract what I need.
Great! Give the regex I provided you above a try and see what it does for you. I can walk you through what it's doing if you need.
Sorry, I just realized you have things before "user:". So here's a modified version of the regex that I think should work.
$message.replaceAll('Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*','$1')
I've noticed that sometimes the rules engine can take up to 5 minutes to apply a change. If possible I would recommend creating a channel that's very small and has the events you want in it, and use that to test your rule. It'll be much faster.
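Added example, not from the thread or from ArcSight: a small Python script that mimics the Velocity `$message.replaceAll(regex, replacement)` call (which is Java's `String.replaceAll`, so `$1` becomes Python's `\1`) and runs each regex proposed above against the sample message posted earlier. It shows why the L25-style regex leaves the text in front of `user:` in place, why the `Authentication [^\s]+ for [^\s]+ ...` version never matches this sample (the field `<Active Directory>` contains a space, so `[^\s]+` stops at `<Active`), and that a leading `.*`, as suggested earlier in the thread, yields just the username. The `user: |account: ` regex is my own guess constructed only to reproduce the before/after strings the poster showed; the real regex used is not on the page.

```python
import re

# Constructed sample: the thread's own example message. The angle-bracket
# tokens are placeholders, not a real log line.
SAMPLE = ("Authentication <failure> for <Active Directory> user: <usernname> "
          "account: <domain\\username> service: <service> reason: <>")


def java_replace_all(text: str, regex: str, replacement: str) -> str:
    """Mimic Velocity's $message.replaceAll(regex, replacement).

    Velocity delegates to java.lang.String.replaceAll, which replaces every
    non-overlapping match. Java back-references are written $1; Python's
    re.sub uses \\1, so the replacement string is converted first.
    """
    py_replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
    return re.sub(regex, py_replacement, text)


# Regex from the thread: starts matching at "user: ", so anything before it
# survives untouched in the output.
REGEX_FROM_USER = r"user: ([^\s]+).*"

# Regex from the later reply: assumes every field before "user:" is a single
# non-space token. "<Active Directory>" contains a space, so on this sample
# the regex does not match and replaceAll returns the message unchanged.
REGEX_ANCHORED = r"Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*"

# Assumption for this example: a leading .* (the idea floated early in the
# thread) consumes whatever precedes "user:", spaces included.
REGEX_WITH_PREFIX = r".*user: ([^\s]+).*"

# Constructed guess at the poster's original attempt: deleting the labels
# reproduces the "after" string they showed, which keeps the whole line.
REGEX_STRIP_LABELS = r"user: |account: "


def extract_username(message: str, regex: str) -> str:
    """Apply the regex exactly as the dcs4 action would, keeping group 1."""
    return java_replace_all(message, regex, "$1")


def explain(message: str, regex: str) -> dict:
    """Report whether the regex matched at all, so a silent no-op is obvious.

    In the rule action a non-matching regex is indistinguishable from a
    matching one without checking the resulting field value; this makes
    the failure mode explicit when testing a regex offline.
    """
    matched = re.search(regex, message) is not None
    return {"matched": matched, "result": extract_username(message, regex)}


if __name__ == "__main__":
    for name, rx in [("from user", REGEX_FROM_USER),
                     ("anchored", REGEX_ANCHORED),
                     ("prefixed", REGEX_WITH_PREFIX)]:
        print(f"{name:>9}: {explain(SAMPLE, rx)}")
    print("strip labels:", java_replace_all(SAMPLE, REGEX_STRIP_LABELS, ""))
```

Run it as-is; each line prints the match status and the value that would land in dcs4. The practical check this illustrates: when testing a `replaceAll` in a rule action, compare the dcs4 value against the full original message, because a regex that fails to match leaves the field equal to `$message` rather than empty, which can look like "the action ran but the regex was wrong" when the regex simply never matched.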